Earlier this week, the U.S. District Court of Minnesota awarded class-action status to a lawsuit filed against Target, seeking remunerations from the retailer's 2013 data breach.
During the holiday season of 2013, Target's system was hacked, which cause the loss of credit card information for more than 100 million customers. Earlier this year, the retail giant reached a settlement with both MasterCard and Visa for the incident. The card companies in these settlements represented the issuers of their cards affected in the breach, and awarded a portion of the settlement to them, accordingly.
Unfortunately for Target, those settlements didn't go as planned. In June, major banks, such as Citigroup, Capital One and J.P. Morgan Chase, all rejected the MasterCard settlement and now five smaller banks are seeking further compensation.
Umpqua Bank, Mutual Bank, CSE Federal Credit Union and First Federal Savings of Lorain filed suit against Target looking for them to cover expenses involved with handling customer concerns surrounding the breach. The group claims that they, collectively, replaced 25,000 debit and credit cards, costing them nearly $30 million.
The ruling doesn't award the banks that money, however, it simply validates their class-action status, which allows them to file as a group. Target tried to prevent this, as their collective status likely gives them more bargaining power, by saying that the re-issuing of cards wasn't required by law. The judge found this argument "absurd."
"What Target suggests is that … financial institutions should have done nothing in the face of dire alerts regarding the data breach," Judge Paul Magnuson wrote in his ruling. "The absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards, both debit and credit, in the weeks after the breach."
Almost two years later, Target is still dealing with the fallout from this massive hack. Though no company hopes something like this will happen to them, this is the perfect example of why businesses need an robust disaster recovery plan. Companies that have yet to develop their own disaster recovery strategy can partner with a business continuity consultant that has extensive experience with these issues.